A recently fixed vulnerability in BlackPhone’s instant messaging application made the phone more prone to attack, as it allowed attackers to decrypt messages, steal contacts, and control vital functions of the device, a security expert claimed.

According to Azimuth Security principal consultant Mark Dowd, attackers needed only the targeted individual’s phone number or Silent Circle ID to remotely exploit a bug in the phone.

The attacker could decrypt and read messages, monitor geographic locations of the phone, write code or text to the phone’s external storage and find out details of the accounts stored on the device.

However, according to Azimuth Security, the flaw has been fixed by Silent Circle and BlackPhone through app stores and product updates.

The vulnerability was found in SilentText, which is a significant feature of the BlackPhone and is also available as a free Android app on Google Play.

The messaging service allows users to send texts over an encrypted channel, which is managed using the ‘Silent Circle Instant Message Protocol’ (SCIMP). SCIMP provides end-to-end encryption.

The vulnerability was found in the SCIMP implementation, which might allow the attacker to directly overwrite a pointer in memory and let the attacker exploit the data.